authorMark Rogaski <stigg@debian>2014-07-30 00:55:17 +0400
committerMark Rogaski <stigg@debian>2014-07-30 00:55:17 +0400
commit724a89c3bb2808b9f435706c03040d14f9a36f4a (patch)
tree3cdd2ae9eb91d68ca9f288cd1460e8819c0177c6
parent21235a5a896d120e54c1ac34016cdefa71229b14 (diff)
Fixed fall-through/refusal logic.
Added the reject_on_miss option to allow fall-through for unauthenticated users.
-rw-r--r--Authenticators/LDAP/LDAPauth.ini3
-rw-r--r--Authenticators/LDAP/LDAPauth.py22
2 files changed, 22 insertions, 3 deletions
diff --git a/Authenticators/LDAP/LDAPauth.ini b/Authenticators/LDAP/LDAPauth.ini
index 9e374e8..13d065e 100644
--- a/Authenticators/LDAP/LDAPauth.ini
+++ b/Authenticators/LDAP/LDAPauth.ini
@@ -4,6 +4,9 @@
id_offset = 1000000000
;Reject users if the authenticator experiences an internal error during authentication
reject_on_error = True
+;Reject users that are not found when bind_dn is used with non-user credentials.
+;Setting this to False will cause a fall-through when the user is not found in LDAP.
+reject_on_miss = True
;Ice configuration
[ice]
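Review bot: The new comment explains when reject_on_miss applies but not what the fall-through does with the user, which is the part an operator choosing False needs to know: as far as I can tell, FALL_THROUGH hands the login back to murmur's own authentication, so a name unknown to LDAP can still log in through the internal user database (confirm against the authenticator's documentation). Suggest a third line such as `;False hands unknown users to murmur's internal authentication; True (the default) keeps LDAP authoritative.`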
diff --git a/Authenticators/LDAP/LDAPauth.py b/Authenticators/LDAP/LDAPauth.py
index dddc887..10cc57a 100644
--- a/Authenticators/LDAP/LDAPauth.py
+++ b/Authenticators/LDAP/LDAPauth.py
@@ -136,7 +136,8 @@ default = { 'ldap':(('ldap_uri', str, 'ldap://127.0.0.1'),
('group_attr', str, 'member')),
'user':(('id_offset', int, 1000000000),
- ('reject_on_error', x2bool, True)),
+ ('reject_on_error', x2bool, True),
+ ('reject_on_miss', x2bool, True)),
'ice':(('host', str, '127.0.0.1'),
('port', int, 6502),
@@ -442,6 +443,15 @@ def do_main_program():
bind_pass = pw
ldap_conn.bind_s(bind_dn, bind_pass)
res = ldap_conn.search_s(cfg.ldap.users_dn, ldap.SCOPE_SUBTREE, '(%s=%s)' % (cfg.ldap.username_attr, name), [cfg.ldap.number_attr, cfg.ldap.display_attr])
+ if len(res) == 0:
+ warning("User " + name + " not found")
+ if cfg.user.reject_on_miss:
+ return (AUTH_REFUSED, None, None)
+ else:
+ return (FALL_THROUGH, None, None)
+ if not pw:
+ warning("No password supplied for user " + name)
+ return (AUTH_REFUSED, None, None)
match = res[0] #Only interested in the first result, as there should only be one match
#Parse the user information
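Review bot: The `if not pw:` guard added after the search comes too late to prevent a bind with an empty password: the `bind_pass = pw` / `ldap_conn.bind_s(bind_dn, bind_pass)` context lines above it appear to be the branch where the user's own credentials are used for the first bind (the branch starts outside this hunk), and an LDAP server that allows unauthenticated binds accepts that empty password before the check ever runs. Move the check ahead of the first `bind_s` call so no bind and no search happen without a password, e.g. `if not pw: warning("No password supplied for user " + name); return (AUTH_REFUSED, None, None)` at the top of the try body. Minor style: `if len(res) == 0:` reads more idiomatically as `if not res:`. The enclosing do_main_program body continues outside the hunk.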
@@ -461,6 +471,12 @@ def do_main_program():
debug('User ' + name + ' failed with no group membership')
return (AUTH_REFUSED, None, None)
+ # Second bind to test user credentials if using bind_dn.
+ if cfg.ldap.bind_dn:
+ bind_dn = "%s=%s,%s" % (cfg.ldap.username_attr, name, cfg.ldap.users_dn)
+ bind_pass = pw
+ ldap_conn.bind_s(bind_dn, bind_pass)
+
#Unbind and close connection
ldap_conn.unbind()
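Review bot: The second bind builds the user's DN by pasting `name` straight into `"%s=%s,%s"` with no escaping, so a username containing DN special characters (`,`, `+`, `=`, `\`) produces a malformed or different DN; prefer the DN the search already returned, `ldap_conn.bind_s(match[0], pw)` (`match = res[0]` is assigned earlier in the function, outside this hunk — confirm it is still in scope here), or at least `ldap.dn.escape_dn_chars(name)`. Binding to the searched DN also keeps the lookup and the credential check on the same entry, which the hand-built DN does not guarantee when entries sit below users_dn rather than directly under it. The `ldap.INVALID_CREDENTIALS` handler in the next hunk covers this bind as well, so no extra handling is needed. The enclosing function continues outside the hunk.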
@@ -468,8 +484,8 @@ def do_main_program():
#LDAP bind failed - expected to happen if bad login
except ldap.INVALID_CREDENTIALS:
- warning("User " + name + " failed with wrong password")
- return (AUTH_REFUSED, None, None)
+ warning("User " + name + " failed with wrong password")
+ return (AUTH_REFUSED, None, None)
#If we get here, the login is correct.
#Add the user/id combo to cache, then accept: